Publication
Detect, Decide, Explain: An Intelligent Framework for Zero-Day Network Attack Detection
Saif Alzu; Frederic Theodor Stahl; Mohammed Al-Khafajiy
In: Max Bramer; Frederic Theodor Stahl (Eds.). Artificial Intelligence XLII (SGAI-AI 2025). SGAI International Conference on Innovative Techniques and Applications of Artificial Intelligence (AI-2025), December 16-18, Cambridge, United Kingdom, Pages 3-17, Lecture Notes in Computer Science (LNAI), Vol. 16302, ISSN/ISBN: 0302-9743, Springer Nature Switzerland, Cham, 12/2025.
Abstract
The growing complexity and diversity of network traffic have made the detection of previously unseen cyberattacks a critical challenge. While supervised learning models perform well on known threats, they often fail to generalise to novel attack types. In earlier work, we introduced the Unknown Network Attack Detector (UNAD), an unsupervised ensemble-based framework trained exclusively on benign traffic to detect anomalies. This paper presents an enhanced version of UNAD, referred to as UNAD+, which incorporates three key improvements. First, a Weighted Majority Voting (WMV) mechanism replaces majority voting to prioritise stronger detectors and eliminate ambiguous predictions. Second, a supervised refinement stage is introduced, where pseudo-labelled anomalies are used to train a secondary classifier that improves detection accuracy and reduces false positives. Third, a post-hoc explainability layer is added, combining LIME and surrogate tree modelling to provide both local and global interpretability of the system's decisions. Evaluations on CICIDS2017 and NSL-KDD show that UNAD+ substantially improves detection performance compared with the original UNAD baseline, achieving an F1-score of up to 98.25% and reducing false positives by over 98%, while enhancing transparency and operational suitability through integrated explainability.
